A FastAPI implementation of the openEO Workspaces Extension for managing cloud storage workspaces with KeyCloak authentication and Elasticsearch backend.
- OpenEO API Compliance: Full implementation of the openEO Workspaces Extension API
- OAuth2/OIDC Auth: Integration with KeyCloak for authentication and authorization
- Elasticsearch Backend: Scalable NoSQL database for workspace metadata
- Container Ready: Docker image and docker-compose for local development
- Kubernetes Ready: Complete Helm chart for production deployment
- RESTful API: FastAPI with automatic OpenAPI documentation
- Python 3.11+
- Docker & Docker Compose (for containerized deployment)
- Kubernetes 1.21+ (for Helm deployment)
-
Clone the repository
git clone <repository-url> cd openeo-workspaces-api
-
Install dependencies
pip install -r requirements.txt
-
Configure environment
cp .env.example .env # Edit .env with your KeyCloak and Elasticsearch settings -
Run with docker-compose
docker-compose up -d
-
Access the API
- API Docs: http://localhost:8000/api/v1/docs
- API Root: http://localhost:8000/api/v1
- Health Check: http://localhost:8000/health
- KeyCloak Admin: http://localhost:8080/admin (admin/admin)
GET /api/v1/workspace_providers- List supported workspace providersGET /health- Health check
GET /api/v1/workspaces- List user's workspacesPOST /api/v1/workspaces- Create a new workspaceGET /api/v1/workspaces/{workspace_id}- Get workspace detailsPATCH /api/v1/workspaces/{workspace_id}- Update workspace metadataDELETE /api/v1/workspaces/{workspace_id}- Delete workspace
# API
DEBUG=false
API_VERSION=v1
# KeyCloak
KEYCLOAK_SERVER_URL=https://keycloak.example.com
KEYCLOAK_REALM=openeo
KEYCLOAK_CLIENT_ID=openeo-workspaces
KEYCLOAK_CLIENT_SECRET=your-secret
KEYCLOAK_ISSUER=
KEYCLOAK_VERIFY_TLS=true
KEYCLOAK_VERIFY_AUDIENCE=true
KEYCLOAK_JWKS_CACHE_TTL_SECONDS=300
# Elasticsearch
ELASTICSEARCH_HOST=localhost
ELASTICSEARCH_PORT=9200
ELASTICSEARCH_USER=elastic
ELASTICSEARCH_PASSWORD=password
ELASTICSEARCH_SCHEME=httpsBuild and run the container:
docker build -t openeo-workspaces-api:0.1.0 .
docker run -p 8000:8000 \
-e KEYCLOAK_SERVER_URL=https://keycloak.example.com \
-e ELASTICSEARCH_HOST=elasticsearch.example.com \
openeo-workspaces-api:0.1.0-
Add Helm repositories
helm repo add elastic https://helm.elastic.co helm repo add codecentric https://codecentric.github.io/helm-charts helm repo update
-
Install the chart
helm install openeo-workspaces ./chart \ --namespace openeo \ --create-namespace \ --values chart/values.yaml
-
Configure external services (if not using chart dependencies)
helm install openeo-workspaces ./chart \ --set keycloak.external.enabled=true \ --set keycloak.external.serverUrl=https://keycloak.example.com \ --set elasticsearch.external.enabled=true \ --set elasticsearch.external.host=elasticsearch.example.com
-
Verify deployment
kubectl get pods -n openeo kubectl logs -n openeo svc/openeo-workspaces-api
The API supports the following workspace providers:
- Intent: create, register
- Parameters:
aws_access_key_id: AWS access keyaws_secret_access_key: AWS secret keybucket_name: S3 bucket name
curl https://openeo.example/api/v1/workspace_providerscurl -X POST https://openeo.example/api/v1/workspaces \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json" \
-d '{
"intent": "create",
"type": "s3",
"title": "My Workspace",
"description": "A workspace for analysis results",
"parameters": {
"bucket_name": "my-bucket"
}
}'curl https://openeo.example/api/v1/workspaces \
-H "Authorization: Bearer {token}"curl https://openeo.example/api/v1/workspaces/{workspace_id} \
-H "Authorization: Bearer {token}"curl -X PATCH https://openeo.example/api/v1/workspaces/{workspace_id} \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json" \
-d '{
"title": "Updated Title",
"description": "Updated description"
}'curl -X DELETE https://openeo.example/api/v1/workspaces/{workspace_id} \
-H "Authorization: Bearer {token}"The API uses OAuth2/OIDC via KeyCloak:
- Client obtains a Bearer token from KeyCloak
- Client includes token in
Authorization: Bearer {token}header - API validates token signature with KeyCloak's public keys
- User ID extracted from token's
subclaim - All workspace operations scoped to authenticated user
Get an access token (client credentials flow):
TOKEN=$(curl -s -X POST "https://keycloak.example.com/realms/openeo/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=openeo-workspaces" \
-d "client_secret=<client-secret>" | python -c 'import json,sys;print(json.load(sys.stdin)["access_token"])')
curl https://openeo.example/api/v1/workspaces \
-H "Authorization: Bearer ${TOKEN}".
├── workspace_service/
│ ├── __init__.py
│ ├── config.py # Configuration settings
│ ├── auth.py # KeyCloak authentication
│ ├── db.py # Elasticsearch client
│ ├── models.py # Pydantic models
│ └── routes/
│ ├── providers.py # Workspace providers endpoints
│ └── workspaces.py # Workspace CRUD endpoints
├── chart/
│ ├── Chart.yaml
│ ├── values.yaml
│ └── templates/ # Kubernetes manifests
├── main.py # FastAPI application
├── Dockerfile
├── docker-compose.yml
├── requirements.txt
├── setup.py
└── README.md
pip install pytest pytest-asyncio
pytest tests/pip install black isort
black workspace_service/ main.py
isort workspace_service/ main.pypip install flake8
flake8 workspace_service/ main.pyElasticsearch cannot connect:
- Verify
elasticsearchservice is running - Check
ELASTICSEARCH_HOSTandELASTICSEARCH_PORTsettings - Ensure network connectivity between containers
KeyCloak certificate errors:
- In development, SSL verification is disabled for convenience
- For production, ensure proper certificates and set
ELASTICSEARCH_SCHEME=https
401 Unauthorized:
- Token has expired or is invalid
- Verify token is included in
Authorizationheader - Check KeyCloak settings in
.env
404 Not Found:
- Workspace doesn't exist or doesn't belong to user
- Check workspace_id in URL
500 Internal Server Error:
- Check application logs with
docker-compose logs openeo-workspaces-api - Verify database connections
Apache License 2.0 - See LICENSE file for details
- OpenEO Consortium: https://openeo.org
- Email: openeo.psc@uni-muenster.de